
Best Practices from Oracle Development's A‑Team

Connecting to Oracle Analytics Cloud Private Endpoint with VPN / FastConnect

Validated September 28, 2020 with OAC 5.8

Introduction

Oracle Analytics Cloud (OAC) may now be provisioned within a Virtual Cloud Network (VCN) with a private IP address.

This post is a step-by-step guide for connecting to a private OAC via VPN and / or FastConnect Private Peering. Connections are made via OAC's URL.

For a post about provisioning OAC with a private endpoint click here. This post assumes the same compartmental privileges are in place.

Validations

September 28, 2020 with OAC 5.8

Topics

Before You Begin

Securing Access to OAC

Provisioning a Dynamic Routing Gateway

Provisioning VPN or FastConnect

Routing OAC Return Traffic through the DRG

Choosing a Domain Name System Method

Updating Your On-Premise DNS

Connecting to OAC with a Private Endpoint

 Before You Begin

The provisioning process provided the following initial architecture.

In this post the source network is assumed to be a portion of your on-premise network. Ensure that the IP addresses denoted by the CIDR block of the source network do not overlap with those used by the Virtual Cloud Network (VCN) hosting OAC; overlapping blocks cannot be routed between the two networks. CIDR is an acronym for Classless Inter-Domain Routing, a method of allocating IP addresses developed by the Internet Engineering Task Force.

Network engineers responsible for your on-premise network must be available to perform the necessary configurations to connect to the VCN hosting OAC and to the associated Identity Cloud Service (IDCS).

 Securing Access to OAC in a Private Subnet

A security list ingress rule is required to open HTTPS port 443 for access using the OAC URL. A security list acts as a virtual firewall for the subnet containing OAC, with ingress and egress rules that specify the types of traffic allowed in and out. Refer here for information on creating security lists.

In this example ingress is restricted to the source network CIDR block. Not shown is a rule for unlimited egress.


Associate the Security List

Navigate to the OAC subnet and under Security Lists click Add Security List.

Accept the default Security List Compartment

From the drop-down select the Security List created above

Click Add Security List

 Provisioning a Dynamic Routing Gateway

A Dynamic Routing Gateway (DRG) attached to your VCN is a virtual router that provides a path for private traffic between your VCN and on-premises network via VPN and/or FastConnect. Refer here for information on creating and attaching a DRG.

Below is an example of a provisioned and attached DRG:

 Provisioning VPN and/or FastConnect

Provisioning VPN and/or FastConnect requires participation from your on-premise network engineers. You set up the cloud components required. A network engineer (or similar function) configures your customer-premises equipment (CPE) device with information you provide.

VPN

VPN Connect provides a site-to-site IPSec VPN between your on-premises network and your virtual cloud network (VCN). The IPSec protocol suite encrypts IP traffic before the packets are transferred from the source to the destination and decrypts the traffic when it arrives. You choose between static routing and BGP dynamic routing.

When using BGP the DRG dynamically learns the routes from your on-premises network. On the Oracle side, the DRG advertises the VCN's subnets. When an optional Service Gateway is in use, the public services residing in the Oracle Services Network are advertised as well.

Refer here for information on provisioning VPN Connect.

FastConnect

FastConnect provides an easy way to create a dedicated, private connection between your data center and Oracle Cloud Infrastructure. FastConnect provides higher-bandwidth options, and a more reliable and consistent networking experience compared to internet-based connections. 

FastConnect offers private peering and public peering. This post assumes you are using private peering with all private traffic passing through the DRG. Refer here for information on provisioning FastConnect.

Routing

Ensure that your network engineers set up the appropriate routing to OAC via the DRG using the CIDR block of the OAC VCN or the OAC subnet.

 Routing OAC Return Traffic through the DRG

When OAC receives a connection that requires authentication it replies with a redirect to the IDCS login URL, and that reply, like every other response to the on-premise initiator, must find its way back through the DRG. This return routing is done with a rule in the route table attached to the subnet hosting OAC: the rule's destination is the source network's CIDR block and its target is the DRG. Refer here for information on provisioning route table rules.

After creating a route table rule attach it to the subnet hosting OAC:

Navigate to the OAC subnet and click Edit

Select the route table containing the rule created above

Click Save Changes

Below are examples of a route table rule and a route table attachment.
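As an added example (not code from the original post), the following Python builds the two rule documents this post describes, the HTTPS ingress rule for the OAC security list and the return route to the DRG, after performing the CIDR overlap check called for in Before You Begin. The CIDR blocks and the DRG OCID are placeholders. The JSON field names are those of the OCI IngressSecurityRule and RouteRule API models, so the output can be passed to `oci network security-list create --ingress-security-rules` and `oci network route-table create --route-rules`.

```python
"""Build OAC private-endpoint network rules from the two CIDR blocks.

Added example, not code from the original post. All values below are
placeholders: substitute your source network, VCN CIDR and DRG OCID.
"""
import ipaddress
import json

ONPREM_CIDR = "172.16.0.0/16"                  # placeholder: source (on-premise) network
VCN_CIDR = "10.0.0.0/16"                       # placeholder: VCN hosting OAC
DRG_OCID = "ocid1.drg.oc1..exampleuniqueID"    # placeholder: DRG attached to the VCN


def check_cidrs(onprem_cidr, vcn_cidr):
    """Reject overlapping or malformed blocks before any rule is created.

    strict=True also rejects a host address written as a network (10.0.0.1/16),
    which the OCI console refuses as well.
    """
    onprem = ipaddress.ip_network(onprem_cidr, strict=True)
    vcn = ipaddress.ip_network(vcn_cidr, strict=True)
    if onprem.overlaps(vcn):
        raise ValueError(f"source {onprem} overlaps VCN {vcn}; traffic could not be routed")
    return onprem, vcn


def https_ingress_rule(source_cidr):
    """Stateful ingress rule: TCP 443 from the source network only (OCI IngressSecurityRule)."""
    return {
        "source": source_cidr,
        "sourceType": "CIDR_BLOCK",
        "protocol": "6",                       # 6 = TCP
        "isStateless": False,                  # stateful: OAC's replies are allowed automatically
        "tcpOptions": {"destinationPortRange": {"min": 443, "max": 443}},
    }


def return_route_rule(onprem_cidr, drg_ocid):
    """Route rule for the OAC subnet: send traffic for the source network to the DRG (OCI RouteRule)."""
    return {
        "destination": onprem_cidr,
        "destinationType": "CIDR_BLOCK",
        "networkEntityId": drg_ocid,
    }


def build_rules(onprem_cidr=ONPREM_CIDR, vcn_cidr=VCN_CIDR, drg_ocid=DRG_OCID):
    """Validate the inputs, then return the security-list and route-table rule lists."""
    onprem, _ = check_cidrs(onprem_cidr, vcn_cidr)
    return {
        "ingress_security_rules": [https_ingress_rule(str(onprem))],
        "route_rules": [return_route_rule(str(onprem), drg_ocid)],
    }


if __name__ == "__main__":
    rules = build_rules()
    print(json.dumps(rules["ingress_security_rules"], indent=2))
    print(json.dumps(rules["route_rules"], indent=2))
```

The same source CIDR block appears in both rules on purpose: the security list admits the source network on port 443, and the route rule sends OAC's replies to that same block back to the DRG. A mismatch between the two is a common reason a connection opens but the IDCS redirect never arrives.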

 Choosing a Domain Name System Method

A Domain Name System (DNS) Address Mapping record (A Record) stores a hostname and its corresponding address. For a private OAC this record is stored in the hosting VCN's DNS resolver and is not publicly available. There are several resolution methods to choose from. Two of them are described below. Both require configuration of your on-premise DNS.

On-premise DNS Resolver

This method inserts the OAC A Record into your on-premise DNS. How it works:

A DNS query to resolve the OAC name is initiated from an on-premises resource to your on-premise DNS server.

Your on-premise DNS server resolves the name and sends the IP address back to the on-premises resource.

On-premise routing then sends the traffic through VPN and / or FastConnect to the OCI DRG where it flows through to OAC.

This method is simplest but creates a duplicate OAC A Record which must be kept in sync with OCI's record. 

On-premise Conditional Forwarding

This method inserts a conditional forwarding statement into your on-premise DNS based on OAC's domain name. How it works:

A DNS query to resolve the OAC name is initiated from an on-premises resource to your on-premise DNS server.

Your on-premise DNS server detects the OAC domain and forwards the request to a DNS virtual machine (VM) in the OAC VCN.

The DNS VM forwards the request to the built-in VCN DNS resolver (169.254.169.254), which is only accessible from within the Oracle Cloud VCN.

The VCN DNS resolves the name, sends the IP address back to the DNS VM which sends it back to the on-premises DNS which finally sends it back to the on-premises resource.

On-premise routing then sends the traffic through VPN and / or FastConnect to the OCI DRG where it flows through to OAC.

This method is more complex but ensures a single source-of-truth for the OAC A Record.

 Updating Your On-Premise DNS

Your network engineers update your on-premise DNS. The procedure differs depending on the type of DNS.

On-premise DNS Resolver

The A record must at a minimum contain the OAC hostname and the OAC private IP address. These can be viewed from the OCI Console:

Navigate to your Analytics Instance

Click on Additional Details. The hostname and IP address are displayed as shown below.

On-premise Conditional Forwarding

Provision a DNS VM

A production implementation entails creating a dedicated regional subnet for DNS VMs, sizing them as needed, and creating multiple VMs across availability domains for high availability.

For development purposes, a small Linux VM can be provisioned in the same subnet as OAC. Refer here for information on provisioning VMs. After it is provisioned make a note of the private IP address as shown below

Route DNS VM Traffic for Yum

Route traffic to the Yum repositories (the Linux package installer) through an Internet Gateway if the DNS VM is in a public subnet, or through either a NAT Gateway or a Service Gateway if it is in a private subnet. Below is an example rule added to the OAC subnet route table.

Secure Access to the DNS VM

DNS traffic flows by default on port 53 over UDP; answers too large for a UDP response are retried over TCP port 53, so allow TCP 53 as well if you see truncated replies. Below are example security rules allowing SSH (TCP 22) and DNS (UDP 53) from on-premise through the DRG. Restrict the source of these rules to the on-premise CIDR block rather than 0.0.0.0/0 so the VM cannot be used as an open resolver.

Install a DNS Application

SSH into the DNS VM and install a DNS application of your choice. Below are sample commands to install dnsmasq. No additional configuration is required: dnsmasq forwards every query it receives to the nameservers listed in the VM's /etc/resolv.conf, which on an OCI instance is the VCN resolver at 169.254.169.254.

sudo su -                                   # become root
yum install dnsmasq -y                      # install the forwarder (needs the Yum route above)
firewall-cmd --add-port=53/udp              # open DNS in the running host firewall
firewall-cmd --permanent --add-port=53/udp  # and persist the rule across reboots
systemctl enable dnsmasq                    # start at boot
systemctl restart dnsmasq                   # start now with the default configuration
exit

Route DNS VM Return Traffic through the DRG

No additional routing is required if the DNS VM is provisioned in the OAC subnet. If in a different subnet create a new rule using the OAC rule format.

Update Your On-Premise DNS

Conditional forwarding must at a minimum specify the part (labels) of the OAC hostname that can be uniquely forwarded and the IP address of the DNS VM in OCI.

Ensure routing to the DNS VM through the DRG.

This example statement, in dnsmasq syntax, forwards all hostnames ending with analytics.ocp.oraclecloud.com to the DNS VM with IP address 10.0.4.37:

server=/analytics.ocp.oraclecloud.com/10.0.4.37
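To make the forwarding rule concrete, here is an added Python example (not from the original post) that models how a conditional forwarder such as dnsmasq picks an upstream for a query name: the longest matching domain suffix wins, matching only on label boundaries, and everything else goes to the site's default resolver. It also emits the equivalent dnsmasq and BIND statements for the on-premise server, and an explicit configuration for the DNS VM whose own upstream is the VCN resolver at 169.254.169.254. The on-premise default resolver address and the query names are placeholders; 10.0.4.37 is the DNS VM address used above.

```python
"""Model of conditional DNS forwarding for the OAC private endpoint.

Added example, not code from the original post. Apart from the DNS VM
(10.0.4.37, from the post) and the VCN resolver (169.254.169.254), all
addresses and names are placeholders.
"""

DNS_VM = "10.0.4.37"                 # DNS VM in the OAC VCN (from the post)
VCN_RESOLVER = "169.254.169.254"     # OCI built-in VCN resolver, reachable only inside the VCN
ONPREM_DEFAULT = "192.0.2.53"        # placeholder: the site's normal upstream resolver

# Domain suffix -> forwarder. Only OAC's domain is sent into OCI. Constructed for this example.
FORWARDERS = {"analytics.ocp.oraclecloud.com": DNS_VM}


def _labels(name):
    """Split a DNS name into lower-case labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")


def matches_domain(qname, domain):
    """True if qname equals domain or ends with '.' + domain (label boundary, not substring)."""
    q, d = _labels(qname), _labels(domain)
    return len(q) >= len(d) and q[-len(d):] == d


def choose_upstream(qname, forwarders=FORWARDERS, default=ONPREM_DEFAULT):
    """Pick the forwarder with the longest matching domain; fall back to the default resolver."""
    best_domain, best_ip = None, default
    for domain, ip in forwarders.items():
        if matches_domain(qname, domain) and (
            best_domain is None or len(_labels(domain)) > len(_labels(best_domain))
        ):
            best_domain, best_ip = domain, ip
    return best_ip


def resolution_path(qname):
    """Hops a query takes, mirroring the steps described in the post."""
    upstream = choose_upstream(qname)
    if upstream == DNS_VM:
        return ["on-premise resolver", f"DNS VM {DNS_VM}", f"VCN resolver {VCN_RESOLVER}"]
    return ["on-premise resolver", f"default upstream {upstream}"]


def dnsmasq_onprem_config(forwarders=FORWARDERS):
    """server=/domain/ip lines for an on-premise dnsmasq."""
    return [f"server=/{domain}/{ip}" for domain, ip in forwarders.items()]


def bind_onprem_config(forwarders=FORWARDERS):
    """Equivalent BIND named.conf forward zones."""
    return [
        f'zone "{domain}" {{ type forward; forward only; forwarders {{ {ip}; }}; }};'
        for domain, ip in forwarders.items()
    ]


def dnsmasq_vm_config(vm_ip=DNS_VM):
    """Explicit dnsmasq.conf lines for the DNS VM: answer on its private address, forward to the VCN resolver."""
    return [f"listen-address={vm_ip}", "listen-address=127.0.0.1", f"server={VCN_RESOLVER}"]


if __name__ == "__main__":
    for name in ("myoac-tenant-ia.analytics.ocp.oraclecloud.com", "intranet.example.com"):
        print(name, "->", " -> ".join(resolution_path(name)))
    print("\n".join(dnsmasq_onprem_config() + bind_onprem_config() + dnsmasq_vm_config()))
```

The label-boundary test matters: a rule written as a plain string suffix would also forward a name such as fooanalytics.ocp.oraclecloud.com into OCI, which dnsmasq does not do. The explicit DNS VM configuration is only needed if the VM's dnsmasq refuses queries from the on-premise subnet: dnsmasq's local-service option, when a distribution enables it, accepts queries only from directly attached subnets unless a listen-address or interface option is present, and the listen-address lines above satisfy that condition.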

 Connecting to OAC with a Private Endpoint

Connections using the OAC URL may now be made to OAC from browsers, Remote Data Gateway, and custom applications via a DRG using VPN and / or FastConnect. The completed architecture is shown below.
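As an added end-to-end check (example code, not part of the original post), the following Python can be run from an on-premise host once DNS, routing and security rules are in place. It resolves the OAC hostname, confirms the answer falls inside the VCN CIDR block (an address outside it means the query was not answered through the forwarder), opens TCP 443 across the VPN or FastConnect path, completes a TLS handshake that verifies the certificate against the hostname, and names the section of this post to revisit when a stage fails. The hostname and VCN CIDR are placeholders.

```python
"""End-to-end check for a private OAC endpoint, run from the on-premise network.

Added example, not code from the original post. OAC_HOST and VCN_CIDR are placeholders.
"""
import ipaddress
import socket
import ssl

OAC_HOST = "myoac-tenant-ia.analytics.ocp.oraclecloud.com"  # placeholder OAC hostname
VCN_CIDR = "10.0.0.0/16"                                    # placeholder OAC VCN


def classify_answer(ip, vcn_cidr=VCN_CIDR):
    """'private' if the resolved address lies inside the VCN, else 'public' (answer did not come via the VCN resolver)."""
    return "private" if ipaddress.ip_address(ip) in ipaddress.ip_network(vcn_cidr) else "public"


def check_dns(host=OAC_HOST, vcn_cidr=VCN_CIDR, resolve=socket.gethostbyname):
    """Resolve host; return (ip or None, state). The resolver is injectable for offline tests."""
    try:
        ip = resolve(host)
    except OSError:
        return None, "unresolved"
    return ip, classify_answer(ip, vcn_cidr)


def check_tls(host=OAC_HOST, ip=None, port=443, timeout=5.0):
    """Connect over TCP, then TLS with certificate verification against host. Returns a status string."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((ip or host, port), timeout=timeout) as tcp:
            with ctx.wrap_socket(tcp, server_hostname=host) as tls:
                tls.getpeercert()            # handshake already verified the chain and hostname
                return "ok"
    except ssl.SSLCertVerificationError:
        return "tls-cert-mismatch"
    except ssl.SSLError:
        return "tls-error"
    except OSError:
        return "tcp-unreachable"


def next_step(dns_state, tls_state):
    """Map a failure to the section of the post that configures that stage."""
    if dns_state == "unresolved":
        return "Updating Your On-Premise DNS: A record or conditional forwarding"
    if dns_state == "public":
        return "Choosing a Domain Name System Method: answer did not come from the VCN resolver"
    if tls_state == "tcp-unreachable":
        return "Routing / Securing Access: DRG route, return route and port 443 ingress"
    if tls_state != "ok":
        return "TLS failed after connecting: check the certificate and the hostname in use"
    return "connected"


if __name__ == "__main__":
    ip, dns_state = check_dns()
    tls_state = check_tls(ip=ip) if ip else "skipped"
    print(f"{OAC_HOST} -> {ip} ({dns_state}); tls={tls_state}; {next_step(dns_state, tls_state)}")
```

Run it from a host in the source network, not from inside the VCN, since the point is to exercise the on-premise DNS and the DRG path. A DNS answer inside the VCN with TCP unreachable points at the route table or security list; a resolved name that connects but fails certificate verification usually means the private IP was reached with a hostname the certificate was not issued for.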

 Summary

This post described the steps required to connect to a private OAC via VPN and / or FastConnect Private Peering. 

For other posts relating to analytics and data integration visit http://www.ateam-oracle.com/dayne-carley

